New York — Home Depot said that 56 million debit and credit cards are estimated to have been breached in a data theft between April and September at its stores in the U.S. and Canada. That makes it the second-largest breach for a retailer on record.

The nation’s largest home improvement retailer, based in Atlanta, also confirmed Thursday that the malware used in the data breach has been eliminated. The retailer said there was no evidence that debit PIN numbers were compromised or that the breach affected customers who shopped online at Homedepot.com. It said it has also completed a “major” payment security project that provides enhanced encryption of customers’ payment data in the company’s U.S. stores.

The disclosure puts the data breach behind TJX Cos.’s theft of 90 million records, disclosed in 2007 and ahead of Target’s pre-Christmas 2013 breach which compromised 40 million credit and debit cards.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable, for fraudulent charges,” said Frank Blake, chairman and CEO in a statement. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

The breach at Home Depot was first reported Sept. 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity. Krebs said multiple banks reported “evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards” that went on sale on the black market. Later that day, Home Depot said it was working with both banks and law enforcement to investigate “unusual activity” that would point to a hack.

Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.